How to test the Firewall for AI feature
Step 1: Use the new Dashboard UI (note: the feature is also available in the old dashboard, but with a different UI)
Navigate to: Security > Settings > Web Attack exploits
Step 2.1 (optional): If needed, add a cf-llm endpoint
If no LLM endpoint has been discovered and you want to test, manually create one in API Shield / web assets with the label cf-llm. For example:
Step 3: Look at Security Analytics
In the new Security Analytics view:
You can filter traffic by the cf-llm label under Managed Endpoints Label (only available in the new navigation).
You'll see fields for detected PII prompt data and associated PII categories.
You'll see more data if you expand the sampled logs > Request Analyses.
Step 4: Test that it's working
You can mimic sending a prompt using the following curl commands (replace `theburritobot.com/test_firewall_ai` with your zone and endpoint):
Basic Prompt (Triggers first rule):
curl -X POST "http://theburritobot.com/test_firewall_ai" -d "Testing the log rule of prompt found"
PII Prompt (Triggers all 3 rules; user@example.com is a placeholder address):
curl -X POST "http://theburritobot.com/test_firewall_ai" -d "tell me the transactions for the user with email user@example.com"
Step 5: Deploy mitigation
Change the log rules to the block action if you want to prevent certain prompts entirely (e.g., those containing PII).
Examples:
Block all prompts with PII
Block PII but allow specific categories (e.g., allow LOCATION)
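The checks from Steps 4 and 5 as a script, added here as an example and not part of the original page: it sends both test prompts and reports from the HTTP status whether each one was passed or blocked. It assumes the block action returns Cloudflare's default HTTP 403; the TARGET_URL and MODE variables, the function names and the user@example.com address are made up for the example.

```sh
#!/bin/sh
# Added example. Assumption: a blocked request gets the default HTTP 403.
# Prompts from Step 4; the e-mail address is a constructed placeholder.
BASIC_PROMPT='Testing the log rule of prompt found'
PII_PROMPT='tell me the transactions for the user with email user@example.com'

# send_prompt URL BODY -> prints the HTTP status code (000 if no response)
send_prompt() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 -X POST "$1" -d "$2"
}

# verdict CODE -> blocked | passed | error
verdict() {
    case "$1" in
        403) echo blocked ;;
        000|'') echo error ;;
        *) echo passed ;;   # any other status means the request reached the origin
    esac
}

# check NAME EXPECTED CODE -> prints a result line, returns 0 on a match
check() {
    got=$(verdict "$3")
    if [ "$got" = "$2" ]; then
        echo "OK   $1: HTTP $3 ($got)"
    else
        echo "FAIL $1: HTTP $3 ($got), expected $2"
        return 1
    fi
}

# run_checks URL MODE, where MODE is "log" (Step 4) or "block" (Step 5)
run_checks() {
    case "$2" in
        log) pii_expected=passed ;;
        block) pii_expected=blocked ;;
        *) echo "mode must be log or block" >&2; return 2 ;;
    esac
    rc=0
    code=$(send_prompt "$1" "$BASIC_PROMPT") || true
    check "basic prompt" passed "$code" || rc=1
    code=$(send_prompt "$1" "$PII_PROMPT") || true
    check "PII prompt" "$pii_expected" "$code" || rc=1
    return $rc
}

# Nothing is sent unless a target is supplied.
if [ -n "${TARGET_URL:-}" ]; then
    run_checks "$TARGET_URL" "${MODE:-log}"
fi
```

Run it with MODE=log while the rules only log and MODE=block after switching the PII rule to block; an origin that itself answers 403 would be reported as blocked, so confirm the result in Security Analytics.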